Looming GDPR Euro law sends ICANN back to drawing board

You may no longer be able to see the name, email or house address for whoever owns a specific domain name under new rules proposed by DNS overseer ICANN.

Such details will be removed from the Whois service that covers hundreds of millions of domain names across the world in order to comply with new European privacy legislation that comes into force this May.

Instead, if you wish to contact a domain name owner you will be given an anonymized email address that will then forward to that owner's real email.

However, law enforcement, and possibly intellectual property lawyers, will still be able to access the full registration details after they pass through an accreditation system designed by the world's governments.

The internet industry – ICANN, registries and registrars – will continue to have full access to registrant details. And domain name holders will be allowed to opt-in to have their full details published online.

That, in a nutshell, is the proposal [PDF] put forward by ICANN having left it to the last minute and put out no less than 12 different solutions last month in an effort to comply with the General Data Protection Regulation (GDPR).

The proposal will be discussed and possibly approved at ICANN's upcoming meeting in Puerto Rico later this month.

Unresolved

But there remain several unresolved issues that will impact millions of people worldwide.

For one, it's not clear whether the new system will be applied globally or only for domain name holders that live in Europe. ICANN has proposed allowing registrars – the companies that register domains on others' behalf – to make that decision themselves.

It's also not clear who will be allowed to view the full information that includes people's personal details. ICANN has proposed that its Governmental Advisory Committee (GAC) comes up with an accreditation system and also approve the organizations that will be allowed to bypass the privacy system and get immediate access to the full data.

It's uncertain how that process will play out or even whether the GAC will be able to come up with a system before the May deadline. In the meantime, ICANN proposes letting registrars and registries decide who is allowed access.

The loudest yelling will come from intellectual property lawyers who want access to Whois data in their efforts to identify who is behind websites serving pirated content. They will want to make sure they are included in the accredited groups.

Given America's strong support for intellectual property lawyers and litigation, however, an obvious solution will be for the US government to provide accreditation to such groups, forward their names and details to ICANN, and then ICANN will tell its registries and registrars to give them access.

Privacy advocates are almost certain to complain that giving governments the right to decide who is allowed to access such data puts dissidents in authoritarian countries at risk from being investigated by intelligence services. But it's hard to see how ICANN could decide it was a greater authority on personal data than a national government.

ICANN has punted on the question of whether under a new system registrars would be obliged to check the authenticity of the registration details they are provided with: even after accreditation, law enforcement could find that they are trying to track Mickey Mouse or another fictitious name for his domain name ownership.

And it has also punted on the issue of so-called proxy services where registrars charge an extra fee to put their own details in place of your personal details in order to provide extra privacy.

But, taken overall, it is a logical, commonsense approach to dealing with the Whois issue – and one that should have been put in place more than a decade ago.

We go now to the UK

Meanwhile, talking of last-minute consideration, this week the .UK registry Nominet published an online survey asking for opinions on its own changes to its Whois service in light of GDPR.

Nominet is effectively proposing the same system as ICANN – with people's details hidden unless you are an accredited organization, although Nominet has already decided – somewhat dubiously – that IP lawyers are allowed access to the full data, and for some reason so is the Internet Watch Foundation.

Nominet has decided to address the proxy issue and proposing a new set of rules to cover proxies in light of the GDPR changes, although those rules are currently quite vague.

Nominet has also proposed removing the requirement of people with a second-level .UK address to provide an address based in the UK before they are allowed to register a domain.

But perhaps most controversially given the topic under consideration, Nominet asks for respondents to its survey to provide their name, address, email and telephone address before responding to the survey. And then gives itself the right to use those details however it wishes, including providing them to third parties, without providing an option for people to opt-out.

It seems there is still some way to go before there is a general acceptance that people have a default right to privacy. ®